
Java Security Manager Reloaded - Devoxx 2014

Slides for my Devoxx tools-in-action speech. Basics of Java Security Manager are covered there. A new library called pro-grade, which helps to keep your life with Java security easy, is introduced.

Published in: Software


  1. Java Security Manager Reloaded. Josef Cacek, Senior Quality Engineer, Red Hat / JBoss. #Devoxx #jsm-reloaded @jckwart
  2. Agenda
     ● Java Security Manager
       – quickstart
       – issues
     ● Reloaded
       – there is an easier way
       – pro-grade library
  3. Do you run ?
  4. Do you run apps with Java Security Manager?
  5. You should be afraid. You are threatened!
  6. Threats
     ● bugs in libraries – lazy programmers
     ● hidden features – evil programmers
     ● man-in-the-middle – The Hackers
  7. Java has a solution
  8. Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
  9. Terminology
     ● Sensitive code calls Security Manager
     ● Security Manager (extends java.lang.SecurityManager) enforces Policy
     ● Policy (extends java.security.Policy)
     ● Permissions (extends java.security.Permission)
  10. Example: Sensitive code calling JSM
      // Ask the installed security manager (if any) before the protected action
      SecurityManager sm = System.getSecurityManager();
      if (sm != null)
          sm.checkPermission(new org.jboss.SimplePermission("getCache"));
  11. Example: Sensitive code calling JSM (same code as slide 10, with a callout on checkPermission: AccessControlException)
  12. Policy
      ● records which protected actions are allowed
        – No action by default
      ● defined in policy file
      ● grant entries assign Permissions to
        – code path [codeBase]
        – signed classes [signedBy]
        – authenticated user [principal]
  13. Example: Policy file
      keystore "/opt/redhat.keystore";
      grant {
          permission java.io.FilePermission "/tmp/-", "read,write";
      };
      grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
          permission java.lang.RuntimePermission "getStackTrace";
          permission java.util.PropertyPermission "*", "read,write";
      };
      grant signedBy "jboss" {
          permission java.security.AllPermission;
      };
  17. Permission
      ● represents access right to a protected action
      ● has a type and target
      ● may have actions
      ● java.security.AllPermission
        – unrestricted access to all resources
        – automatically granted to system classes
  18. Example: Read a file
      ● App [app.jar] → Utils [app-lib.jar] → FileReader("/etc/passwd")
  19. Example: Read a file
      ● App [app.jar] → Utils [app-lib.jar] → FileReader("/etc/passwd")
      Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read")
          at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
          at java.security.AccessController.checkPermission(AccessController.java:559)
          at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
          at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
          at java.io.FileInputStream.<init>(FileInputStream.java:135)
          at java.io.FileInputStream.<init>(FileInputStream.java:101)
          at java.io.FileReader.<init>(FileReader.java:58)
          at org.jboss.shared.Utils.getUserListInternal(Utils.java:36)
          at org.jboss.shared.Utils.getUsersList(Utils.java:28)
          at org.jboss.test.App.run(App.java:35)
          at org.jboss.test.App.main(App.java:28)
      Stack frame origins, top to bottom: system classes (java.* frames), app-lib.jar (org.jboss.shared.Utils frames), app.jar (org.jboss.test.App frames)
  23. JSM quickstart
      ● set java.security.manager system property
        – no value → default implementation
        – class name → custom SecurityManager implementation
      ● set java.security.policy system property
        – path to text file with permission mappings
      ● set java.security.debug system property (optional)
  24. Example: Run Application with JSM enabled
      java -Djava.security.manager \
           -Djava.security.policy=/opt/jEdit/jEdit.policy \
           -Djava.security.debug=access:failure \
           -jar /opt/jEdit/jedit.jar /etc/passwd
  25. Protect your systems. Use Java Security Manager!
  26. However ...
  27. JSM issues - #1 performance
  28. JSM issues - #2 policy file tooling
  29. JSM Reloaded: pro-grade library. Set of SecurityManager and Policy implementations.
  30. pro-grade library
      ● Java Security Manager made easy(ier)
      ● authors
        – Ondřej Lukáš
        – Josef Cacek
      ● Apache License
      http://pro-grade.sourceforge.net/
  31. pro-grade components
      #1 policy with deny entries
      #2 policy file generator
      #3 missing permissions debugger
  32. #1 pro-grade policy with deny rules
      ● “subtracting” permissions from the granted ones
      ● helps to decrease count of mapped permissions
      pro-grade = Policy Rules Of Granting And DEnying (GRANT, DENY)
  33. #1 pro-grade policy with deny rules
      ● “subtracting” permissions from the granted ones
      ● helps to decrease count of mapped permissions
      // grant full access to /tmp folder
      grant {
          permission java.io.FilePermission "/tmp/-", "read,write";
      };
      // deny write access to the static subfolder of /tmp
      deny {
          permission java.io.FilePermission "/tmp/static/-", "write";
      };
  34. #2 pro-grade policy file generator
      ● policytool on (a)steroids
      ● No GUI is better than any GUI!
      ● doesn't throw the AccessControlException
  35. #3 pro-grade permissions debugger
      ● prints info about missing permissions to error stream without stopping application
      >> Denied permission java.io.FilePermission "/etc/passwd", "read";
      >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>)
  36. Demo: Security policy for Java EE server in 3 minutes.
  37. Use Java Security Manager!
  39. Use Java Security Manager! Make it easy with pro-grade
  40. pro-grade fighting JSM issues
      ● performance → deny rules help
      ● policy file tooling
        → generator – fully automated
        → debugger – quick check what's missing
  41. Thank you. Questions?
      josef.cacek@gmail.com
      @jckwart
      http://javlog.cacek.cz
      http://pro-grade.sourceforge.net
      http://github.com/pro-grade/pro-grade
  42. Credits
      ● public domain images – pixabay.com
      ● public domain drawings – openclipart.org
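
The grant/deny "subtraction" from slides 32 and 33, as an added example that is not taken from the slides or from pro-grade's source: it models the deny entry as a second permission collection consulted after the grants, using only standard JDK permission classes. The class name GrantDenyDemo, the isAllowed helper and the sample requests are constructed for illustration, and pro-grade's own evaluation logic may differ.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;

/** Added example: grant-minus-deny evaluation modelled on the slide 33 policy. */
public class GrantDenyDemo {
    // Constructed policy mirroring the grant and deny entries on slide 33.
    static final Permissions GRANTED = new Permissions();
    static final Permissions DENIED = new Permissions();
    static {
        GRANTED.add(new FilePermission("/tmp/-", "read,write"));
        DENIED.add(new FilePermission("/tmp/static/-", "write"));
    }

    /** Allowed only if every requested action is granted and none is denied. */
    static boolean isAllowed(String path, String actions) {
        for (String action : actions.split(",")) {
            Permission p = new FilePermission(path, action.trim());
            // Check one action at a time: a write-only deny entry does not
            // imply a combined "read,write" request, so testing the combined
            // permission against DENIED would let the write slip through.
            if (!GRANTED.implies(p) || DENIED.implies(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[][] requests = {   // constructed sample requests
            {"/tmp/report.txt", "read,write"},
            {"/tmp/static/logo.png", "read"},
            {"/tmp/static/logo.png", "write"},
            {"/tmp/static/logo.png", "read,write"},
            {"/etc/passwd", "read"},
        };
        for (String[] r : requests) {
            System.out.printf("%-22s %-10s -> %s%n", r[0], r[1],
                    isAllowed(r[0], r[1]) ? "allowed" : "denied");
        }
    }
}
```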
